Risk Assessments

  • 1.  Requesting compliance documentation from vendors

    Posted 03-15-2021 01:29 PM
    I'm wondering if anyone has difficulty in getting vendors to respond to requests for compliance documentation when performing annual vendor risk assessments. How have you been able to overcome this obstacle?


  • 2.  RE: Requesting compliance documentation from vendors

    Posted 03-15-2021 03:12 PM
    That is a great question and I think a very common experience.

    I have found success in 2 ways: 1) tie reviews to contract renewals. Whenever possible, I look to schedule third party reassessments and associated information gathering to correspond to when contracts are up for renewals or renegotiations. This adds extra motivation for the third party to respond quickly and fully to requests for due diligence.
    2) Be relentless. Any issues we experience with vendors providing information, we take to the business owner with the expectation that they escalate that request.

    I also will always ask if there is a portal or alternate means to obtain documentation on demand. So many vendors are moving this way; sometimes it's just a matter of finding the right person to give you that access.

    Good luck and don't give up!  I am interested to see what strategies others have found successful.
    Shelly


  • 3.  RE: Requesting compliance documentation from vendors

    This message was posted by a user wishing to remain anonymous
    Posted 03-15-2021 03:13 PM

    We send a letter requesting the needed documents 30 days prior to review date. If we get no response, we ask the department head to reach out to their vendor to determine the status. If the documents become overdue, the department head reaches out again as a reminder that any future payments are being held until the documents are released in accordance with their contract with us.
    For the most part, our critical vendors have given access to us to their portal so we just go in and get the documents needed.


  • 4.  RE: Requesting compliance documentation from vendors

    This message was posted by a user wishing to remain anonymous
    Posted 03-15-2021 03:49 PM

    We also have difficulty reaching vendors for annual due diligence requests. Our process begins with an internal questionnaire to our product manager, followed by an external questionnaire sent to the vendor point of contact. We give the vendor 2 weeks to respond to the external questionnaire (and attach PDFs to the questionnaire). If that yields no results, we reconfirm the point of contact and escalate the request to our Vice President of that department.

    We have found that including right-to-audit and due diligence requirements in a new contract works best. We also have seen an uptick in vendors providing our institution access to a document portal, but you have to know what you are looking for, especially if your company uses more than one of a vendor's products.



  • 5.  RE: Requesting compliance documentation from vendors

    Posted 03-15-2021 03:47 PM

    Hi

    I regularly come across this issue.

    During the onboarding process I have been able to reduce the frequency of this happening by making the provision of due diligence documentation part of the RFI/RFP evaluation criteria.

    So if a vendor doesn't respond it significantly impacts their evaluation score.

    After the vendor has been onboarded is where I have the greatest challenge. To address this I have been including a provision within all new and renegotiated contracts requiring the annual submittal of DD documents. So far this appears to be working reasonably well.

    Hope this is of assistance


    Robin Grimwade

    VP Corporate Programs

    Enterprise Risk Management Office


  • 6.  RE: Requesting compliance documentation from vendors

    Posted 03-16-2021 06:51 AM
    I have faced resistance from vendors of large stature. They weren't too happy completing due diligence questionnaires and/or sharing policies. To make the experience better, I have leveraged the privacy policies available publicly or SOC reports / ISO 27001 reports that the vendors have willingly shared, to form my views aka 'assessor comments'. The remaining open items were then discussed with the vendor to arrive at a win-win situation. Hope this helped.


    ------------------------------
    Regards
    Midhu Luke
    ------------------------------



  • 7.  RE: Requesting compliance documentation from vendors

    Posted 03-16-2021 09:17 AM

    This depends on what compliance documents you are asking for. The suppliers that I am responsible for are in a narrow industry band of suppliers that can satisfy my risk assessment by providing reports and certificates for their industry certifications. These are ISO 27001, SSAE 18 (SOC2 Type 2), and others for specific technologies. Most are happy to provide these and they show they have worked with an auditor for the certification. If the auditor is reputable, then this satisfies the risk assessment. This method is relatively painless and I try to point out to my suppliers that there are more draconian ways to get to the same place.

    An NDA is a prerequisite for doing business to cover the exchange of confidential information.




  • 8.  RE: Requesting compliance documentation from vendors

    Posted 03-16-2021 07:24 PM
    As others have indicated, the best way to handle this is during the RFP cycle: have an inventory of items you wish to see as part of the RFP cycle, with a strong weighting in the RFP score as to whether or not they provided the requested document.

    Post RFP and in the Master Service Agreement, have a section specifically outlining the documents you need and the frequency. I'll also toss in a 0.05% penalty on invoices for failing the delivery at the given time. Of course the penalty can be hard to keep in the contract and in these cases you should at least give it an SLA (pass/fail) which is used in your vendor evaluation cycle.